On January 28, California will ‘celebrate’ Data Privacy Day, which is a timely reminder given the amount of data that will be exchanged between you and your clients over tax season.
Do you know where your state stands on data protection?
At one extreme, Nevada and Massachusetts have very specific legislation. For example in MA, CMR 17.03 states:
“Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate…
And CMR 17.04:
“Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:”
“…(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly…
…(5) Encryption of all personal information stored on laptops or other portable devices;”
California is an interesting beast. Section 1798.81.5 of the Civil Code states:
“…(b) A business that owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
While it doesn’t define the reasonable measures mentioned above, it does say what must happen in the event of data loss or theft of unencrypted information. Section 1798.82 of the Civil Code states:
“Any agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
In the 2020 Audio CD CyberSecurity and Your Accounting Firm, the experts we interviewed at Stratagema estimated the cost per incident to be $250 per client. And this is just fulfilling the notification requirements. It doesn’t take into account any legal action that might result from the security breach, or the damage to your reputation.
In my opinion, regardless of your state’s stance on the issue, it’s not worth the risk. When it comes to data protection, I think nothing short of best practices is in order. The tools that enable secure document exchange and storage are inexpensive and easy to operate.
There are a number of options for secure data exchange:
- Utilize a portal. A portal is a permanent, secure, web-based location where documents can be stored;
- Redact personally identifiable information before it is transmitted; or,
- Encrypt files before sending them.
In our office, we use a combination of all three depending on the client. Some of our clients prefer the portal (supplied by Acct1st). Inside the portal we store any number of documents, which gives our clients secure, 24/7 access to them. Clients can also upload documents such as W2s and K1s, which helps keep our office paperless.
We can also redact particular information. Redaction is NOT taking a Sharpie to a document; specific software is required to properly redact a document. We use Adobe Acrobat Standard (not Reader). You can purchase inexpensive Acrobat licenses here.
In some instances we’ll never be able to move clients away from email. For these clients we make sure all files are encrypted before they are sent. There are many encryption tools available, some easier to use than others. For example, Adobe Acrobat Standard has this feature, but it is a tool for one-way traffic, that is, encrypted emails going out from your office. But what about files with personally identifiable information coming from your clients?
We prefer setting up our clients on CPA Safemail by Cpaperless. This simple Outlook add-in allows you to right-click a file and encrypt it before you send it through Outlook. You can create a password for the recipient, or you can allow them to create their own account (and password), which will allow them to send files back to you securely.
Finally, if data leaves the office on a zip drive, another portable storage device, or a laptop, make sure it is encrypted.
Please don’t hesitate to email any questions you have about this topic – I think the stakes are too high to make a mistake.